By late afternoon on Tuesday, Twitter started buzzing; one of the world's largest news portals was offline, and a hacking group was claiming responsibility. The Syrian Electronic Army (SEA), a pro-Assad hacking group know for their previous campaigns against media organizations, altered the DNS records for the New York Times, Twitter, and the Huffington Post. The group also targeted ShareThis.com, a platform that enables readers to share links to content on a wide range of services, including social media, sites like Reddit, Slashdot, and more.
Twitter had the most issues to deal with, as their domain shortening service (t.co) well as their primary domain and image hosting service (twimg.com) all had their DNS records altered. The attack was possible due to a social engineering campaign launched by the SEA that targeted MelbourneIT, the registrar responsible for hosting the targeted DNS servers.
According to reports, including those from MelbourneIT themselves, the SEA spent some time on this campaign, and created a cleaver Phishing email that eventually snared an unknown reseller's username and password, which granted them access to the domain controls needed to alter DNS settings.
While this attack was bad, things could have certainly been much worse, as other large brands also use MelbourneIT for their DNS, including Yahoo, Google, Microsoft, Adobe, IKEA, and AOL. Fortunately, the account that the SEA compromised didn't share access to those domains.
"Social-engineering and most specifically Phishing is one of the largest attack surfaces we face in the security industry. Hacking through websites and breaching perimeters takes way to much time and usually not worth the effort. Sending a targeted email to a company almost guarantees you access to whatever you want and we aren't capable of handling these types of attacks right now," said Dave Kennedy, the creator of the Social Engineer Toolkit and the founder of TrustedSec, in an email to CSO.
"My question to everyone right now is that if they are targeting resellers, outside parties, and people not always in the company, but control certain aspects of an organization, where does this leave our massive exposures in the cloud?"
In the wake of the Twitter and New York Times attacks, several major brands remain at risk. The risk comes from two angles; the first is exposure to social engineering. Should an attacker gain access to the DNS controls directly, then a situation such as the one that occurred this week could certainly happen again.
The other angle is the use of a registry lock. Since details have started to emerge about how the New York Times, Twitter, and the others were attacked - thanks to disclosures from MelbourneIT, one of the defenses being touted is the practice of applying a Registry Lock flag to critical domains.
Sign up for Computerworld eNewsletters.